For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:

The QMS used is established by the Federal government or a standards developing organization.

The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).

When a single QMS was used for applicable capabilities, it would only need to be identified once.

When different QMS were applied to specific capabilities, each QMS applied would need to be identified.

For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:

The QMS used is established by the Federal government or a standards developing organization.

The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).

When a single QMS was used for applicable capabilities, it would only need to be identified once.

When different QMS were applied to specific capabilities, each QMS applied would need to be identified.

Please consult the Final Rule entitled: 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications for a detailed description of the certification criterion with which these testing steps are associated. We also encourage developers to consult the Certification Companion Guide in tandem with the test procedure as they provide clarifications that may be useful for product development and testing.

Note: The order in which the test steps are listed reflects the sequence of the certification criterion and does not necessarily prescribe the order in which the test should take place.

Testing components

Testing must be conducted for one of the Alternatives outlined below to satisfy the requirements for this criteria.

Paragraphs (g)(4)(i)(A)–(B) (Alternative)

System Under Test

The health IT developer identifies the QMS used in the development, testing, implementation, and maintenance for all criteria, for which certification is being sought, from among one of the recognized Federal Government or SDO established QMSes, including, but not limited to: 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304.

The health IT developer illustrates how their QMS maps to one or more recognized Federal Government or SDO established QMSes through documentation and explanation linking the components of their QMS to an established QMS, identifying any gaps.

Test Lab Verification

The tester verifies that the QMS used is one of those that have been established by the Federal Government or an SDO, including, but not limited to: FDA’s quality system regulation in 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304.

The tester verifies that the QMS is mapped to one or more of the standards established by the Federal Government or an SDO. The tester verifies that any identified gaps have been documented and explained.

Testing must be conducted for one of the Alternatives outlined below to satisfy the requirements for this criteria.

Paragraphs (g)(4)(i)(A)–(B) (Alternative)

System Under Test

Test Lab Verification

The health IT developer identifies the QMS used in the development, testing, implementation, and maintenance for all criteria, for which certification is being sought, from among one of the recognized Federal Government or SDO established QMSes, including, but not limited to: 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304.

The health IT developer illustrates how their QMS maps to one or more recognized Federal Government or SDO established QMSes through documentation and explanation linking the components of their QMS to an established QMS, identifying any gaps.

The tester verifies that the QMS used is one of those that have been established by the Federal Government or an SDO, including, but not limited to: FDA’s quality system regulation in 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304.

The tester verifies that the QMS is mapped to one or more of the standards established by the Federal Government or an SDO. The tester verifies that any identified gaps have been documented and explained.

Paragraph (g)(4)(ii) (Alternative)

System Under Test

The health IT developer identifies the single QMS used for all criteria for which they are seeking certification.

Test Lab Verification

The tester verifies that the one QMS identified is used for all criteria for which the health IT developer is seeking certification.

Paragraph (g)(4)(ii) (Alternative)

System Under Test

Test Lab Verification

The health IT developer identifies the single QMS used for all criteria for which they are seeking certification.

The tester verifies that the one QMS identified is used for all criteria for which the health IT developer is seeking certification.

Paragraph (g)(4)(iii) (Alternative)

System Under Test

The health IT developer identifies each QMS applied to the specific corresponding criteria, for which certification is being sought.

Test Lab Verification

The tester verifies that each QMS applied to a specific criteria for which certification is being sought, is identified.

Paragraph (g)(4)(iii) (Alternative)

System Under Test

Test Lab Verification

The health IT developer identifies each QMS applied to the specific corresponding criteria, for which certification is being sought.

The tester verifies that each QMS applied to a specific criteria for which certification is being sought, is identified.

Version 1.1
Updated on 01-27-2017

Revision History

Version #

Description of Change

Version Date

1.0

Initial Publication

10-26-2015

1.1

Reorganized clarifications for clarity.

Added clarification for implementation aspects related to integrating with relevant capabilities, including relied upon software.

Added clarification regarding the applicability and requirements for the mapping provisions, including application to agile development.

01-27-2017

Regulation Text

Regulation Text

§170.315 (g)(4) Quality management system—

For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:

The QMS used is established by the Federal government or a standards developing organization.

The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).

When a single QMS was used for applicable capabilities, it would only need to be identified once.

When different QMS were applied to specific capabilities, each QMS applied would need to be identified.

For each capability that a technology includes and for which that capability's certification is sought, the use of a Quality Management System (QMS) in the development, testing, implementation, and maintenance of that capability must be identified that satisfies one of the following ways:

The QMS used is established by the Federal government or a standards developing organization.

The QMS used is mapped to one or more QMS established by the Federal government or standards developing organization(s).

When a single QMS was used for applicable capabilities, it would only need to be identified once.

When different QMS were applied to specific capabilities, each QMS applied would need to be identified.

Certification Companion Guide: Quality management system

This Certification Companion Guide (CCG) is an informative document designed to assist with health IT product development. The CCG is not a substitute for the 2015 Edition final regulation. It extracts key portions of the rule’s preamble and includes subsequent clarifying interpretations. To access the full context of regulatory intent please consult the 2015 Edition final rule or other included regulatory reference. The CCG is for public use and should not be sold or redistributed.

This certification criterion was adopted at § 170.315(g)(4). There are no associated privacy and security certification requirements for this criterion.

Certification Requirements

This certification criterion was adopted at § 170.315(g)(4). There are no associated privacy and security certification requirements for this criterion.

Technical Explanations and Clarifications

Applies to entire criterion

Clarifications:

There is no standard required for this certification criterion.

All Health IT Modules certified to the 2015 Edition must be certified to the 2015 Edition QMS criterion.

This criterion is applicable to self-developed and open source software as well.

The focus and intent of the criterion is the identification of the QMS used, not a determination of compliance by the ONC-ACB with the identified QMS. [see also 80 FR 62673]

Applies to entire criterion

Clarifications:

There is no standard required for this certification criterion.

All Health IT Modules certified to the 2015 Edition must be certified to the 2015 Edition QMS criterion.

This criterion is applicable to self-developed and open source software as well.

The focus and intent of the criterion is the identification of the QMS used, not a determination of compliance by the ONC-ACB with the identified QMS. [see also 80 FR 62673]

Paragraph (g)(4)(i)

Technical outcome – The specific QMS used in the development, testing, implementation and maintenance for each criteria/capability that certification is being sought must be identified.

Clarifications:

The QMS must be established by the Federal government or a standards developing organization (SDO); or mapped to one or more quality management systems established by the Federal government or standards developing organization(s). [see also 80 FR 62672]

The "implementation" aspects of QMS requirements would be expected to include and address integrating with relevant capabilities such as software relied upon for certification.

Paragraph (g)(4)(i)

Technical outcome – The specific QMS used in the development, testing, implementation and maintenance for each criteria/capability that certification is being sought must be identified.

Clarifications:

The QMS must be established by the Federal government or a standards developing organization (SDO); or mapped to one or more quality management systems established by the Federal government or standards developing organization(s). [see also 80 FR 62672]

The "implementation" aspects of QMS requirements would be expected to include and address integrating with relevant capabilities such as software relied upon for certification.

Paragraph (g)(4)(i)(A)

Technical outcome – Identify the specific QMS used that was established by the Federal government or an SDO.

FDA's quality system regulation in 21 CFR part 820, so long as the developer cites their compliance with FDA's Quality System regulations for certification

ISO 9001

ISO 14971

ISO 13485

IEC 62304

ISO 12207

IEEE 730

ISO 14764

ISO 80001

Paragraph (g)(4)(i)(B)

Technical outcome – If not using a specific Federal government or SDO established QMS, the developer must map the QMS to one or more specific Federal government or SDO established QMS.

Clarifications:

For non-Federal government or non-SDO QMS methods, such as a modified version of an established QMS, a “home grown” QMS, agile development or other method, the QMS/method must be mapped to one or more specific Federal government or SDO established QMS. [see 80 FR 62672-62673] The mapping must be done through documentation and explanation that links the components of their QMS/method to an established QMS and identifies any gaps in their QMS as compared to an established QMS. [80 FR 62672]

There is no expectation that there will be detailed documentation of historical QMS or its absence. The documentation of the current status of the health IT development organization will suffice. [80 FR 16858]

Paragraph (g)(4)(i)(B)

Technical outcome – If not using a specific Federal government or SDO established QMS, the developer must map the QMS to one or more specific Federal government or SDO established QMS.

Clarifications:

For non-Federal government or non-SDO QMS methods, such as a modified version of an established QMS, a “home grown” QMS, agile development or other method, the QMS/method must be mapped to one or more specific Federal government or SDO established QMS. [see 80 FR 62672-62673] The mapping must be done through documentation and explanation that links the components of their QMS/method to an established QMS and identifies any gaps in their QMS as compared to an established QMS. [80 FR 62672]

There is no expectation that there will be detailed documentation of historical QMS or its absence. The documentation of the current status of the health IT development organization will suffice. [80 FR 16858]

Paragraph (g)(4)(ii)

Technical outcome – If a single QMS was used for all applicable capabilities/criteria for which certification is being sought, it would only need to be identified once.

Clarifications:

In the case where the whole development organization uses the same QMS across all teams, then this certification criterion may be met with one report. [see also 77 FR 54191]

Paragraph (g)(4)(ii)

Technical outcome – If a single QMS was used for all applicable capabilities/criteria for which certification is being sought, it would only need to be identified once.

Clarifications:

In the case where the whole development organization uses the same QMS across all teams, then this certification criterion may be met with one report. [see also 77 FR 54191]

Paragraph (g)(4)(iii)

Technical outcome – If different QMS were applied to specific capabilities/criteria, each QMS applied would need to be identified for the respective capability/criteria.

Clarifications:

Where there is variability across teams working on different functional components of the health IT, the health IT developer will need to indicate the individual QMS' followed for the applicable certification criteria for which the technology is submitted for certification. [see also 77 FR 54191]

Paragraph (g)(4)(iii)

Technical outcome – If different QMS were applied to specific capabilities/criteria, each QMS applied would need to be identified for the respective capability/criteria.

Clarifications:

Where there is variability across teams working on different functional components of the health IT, the health IT developer will need to indicate the individual QMS' followed for the applicable certification criteria for which the technology is submitted for certification. [see also 77 FR 54191]